|
|
To establish a username-based authentication system at login, even though your network cannot support a TACACS service, use the username global configuration command.
username name [access-class access-class-num]
name | Specifies the username to which this command applies. The name argument can only be one word. White spaces and quotation marks are not allowed. |
access-class-num | Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command. It is used for the duration of the user's session. |
command | Specifies a command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain imbedded spaces, commands using the autocommand keyword must be the last option on the line. |
dialstring | Specifies a dialback string for connections initiated by the user. |
line | Specifies a line to associate with this callback. |
group | Specifies a rotary group to associate with this callback. |
nocallback-verify | Does not require authentication after callback. |
noescape | Prevents a user from using an escape character on the host to which that user is connected. |
nohangup | Prevents the communication server from disconnecting the user after an automatic command (set up with the autocommand keyword) is complete. Instead, the user gets another login prompt. |
dnis | No password is required for this user when obtained via DNIS. |
nopassword | No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword. |
encryption-type | A single-digit number that defines whether the text immediately following is encrypted and if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using an encryption algorithm defined by Cisco.\
|
password | A password can contain embedded spaces and must be the last option specified in the username command. |
level | Sets the user privilege level. |
Global configuration
The username command provides username/password authentication for login purposes only. (Note that it does not provide username/password authentication for enable mode when the enable use-tacacs command is also used.)
Multiple username commands can be used to specify options for a single user.
Add a username entry for each remote system that the local switch communicates with and requires authentication from. The remote device must have a username entry for the local switch. This entry must have the same password as the local switch's entry for that remote device.
This command can be useful for defining usernames that get special treatment, for example, an "info" username that does not require a password but connects the user to a general-purpose information service.
The username command is also required as part of the configuration for the CHAP. For each remote system that the local switch communicates with from which it requires authentication, add a username entry.
If there is no secret specified and debug serial-interface is enabled, an error is displayed when an interface is established and the CHAP challenge is not implemented. Debugging information on CHAP is available using the debug serial-interface and debug serial-packet commands. For more information about debug commands, refer to the Debug Command Reference publication.
To implement a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the switch, the username command takes the following form.
Switch# username who nopassword nohangup autocommand show users
To implement an information service that does not require a password, the command takes the following form.
Switch# username info nopassword noescape autocommand telnet nic.ddn.mil
To implement an ID that works even if all TACACS servers go down, the command takes the following form.
Switch# username superuser password superpassword
The following example configuration enables CHAP on interface serial 0. It also defines a password for local server Adam and remote server Eve.
Switch# hostname Adam
Switch# interface serial 0
Switch# encapsulation ppp
Switch# ppp authentication chap
Switch# username Adam password oursystem
Switch# username Eve password theirsystem
When you look at your configuration file, the passwords are encrypted and the display looks similar to the following output.
Switch# hostname Adam
Switch# interface serial 0 encapsulation ppp
Switch# ppp authentication chap
Switch# username Adam password 7 1514040356
Switch# username Eve password 7 121F0A18
|
|